
Benefits and Drawbacks of the Future Transition to Chip-and-Pin
Credit Card Technology in the United States
Cornell Patrick
[email protected]
Mentor: Ming Chow
12 December 2014
Outline of Contents
Abstract ........................................... 3
Introduction ....................................... 4
To the Community ................................... 5
Security Threats for Magnetic Stripe Cards ......... 6
Action Items ....................................... 7
Security Flaws in Chip-and-PIN Cards ............... 7
An Interesting Alternative ......................... 9
Conclusion ......................................... 9
References ......................................... 11
Supplemental Materials ............................. 12
Abstract
Credit cards have become a staple method of exchanging money in the modern world.
In the United States, the most widely used and best-known type of credit card carries a
magnetic stripe, which magnetically encodes all of the significant information about the card and
its owner, as well as a signature space on the back, which in card-present (i.e. face-to-face)
transactions represents a very antiquated method of security verification. The cardholder signs
for the purchase, the merchant compares the signature on the back of the card to the signature on
the receipt, and if they match, the transaction is accepted. However, this method is greatly
outdated and has generally been replaced in many other countries. The newer kind of credit card,
known as chip-and-PIN, appears to solve two major security issues that the “old” credit card has:
firstly, by replacing the outdated signature method with the newer PIN method, the human error
that inevitably occurs when comparing a real signature to a forged one is removed, as the security
verification is now computer-based; and secondly, by replacing the magnetic stripe on the credit
card with a computerized chip, it becomes much more difficult to duplicate the information that is
stored on the credit card. Despite this transition being a major step forward in terms of security,
several downsides still exist with the newer system, and it is definitely not 100% safe and
foolproof.
Introduction
On October 17th, 2014, President Barack Obama signed an executive order as part of the
BuySecure initiative to facilitate the transition from the outdated magnetic stripe to chip and PIN
to both existing and newly issued government credit and debit cards; additionally, each current
terminal at all federal locations will be replaced with new terminals that will accept these new
cards, a move that “will [finally] drive the market towards more secure payment systems.”
Furthermore, several stores will help jumpstart the late revolution to chip and PIN cards, and
both American Express and Visa have agreed to launch programs to support and educate both
consumers and merchants to the new system [1].
While the United States has been using the magnetic stripe alternative, many other
countries have shifted to the EMV (Europay, Mastercard, and Visa) standard, which involves
placing the card onto a contact plate, instead of the more traditional swipe that is required for
magnetic stripe cards at point-of-sale terminals [2]. Additionally, in many of these cases, instead
of providing a signature to verify the user of the card, the cardholder must provide a PIN, which
is then verified by the machine using the credentials of the card itself (although some
chip-and-signature cards do exist) [3].
A hotly debated question in this field is the reason for switching from magnetic stripe
credit cards to newer chip-and-PIN credit cards. According to a 2012 survey by the Aite Group
and ACI Worldwide, the United States currently sees the second highest rate of credit card fraud
in the world, at a shocking 42% of respondents who claim that they had experienced card fraud in
the past five years. While this can be partially attributed to the average US consumer using their
cards more frequently than most other nations, this statistic can also be due to the United States’
reluctance to comply with the ten-year-old EMV standard. This number is certainly very large
compared to European countries that have adopted this standard, with the United Kingdom at
about 34%, and at the bottom of the list, Sweden and the Netherlands at a mere 12% each [4].
However, the EMV system is obviously not foolproof. Card-not-present (CNP) transactions (e.g.
online transactions) are still just as unsafe, as these types of transactions circumvent some of the
usual security measures that are implemented. Additionally, the “treadmill effect” will probably
come into play. Ross Anderson, a professor at the University of Cambridge, claims that “simply
blocking off one of the avenues of attacks by fraudsters isn’t enough to make fraud vanish.” [5]
EMV chip data can still be extracted by compromising the card reader itself. Those who are
critical of this change rightfully question whether it is worth the millions of dollars being poured
into making this happen.
To the Community
Credit cards are a critical part of modern-day society in America. Regardless of whether
one works in the cybersecurity field or not, the security of credit cards is a major worry that
almost every American should have. This paper is directed at those who want an introductory but
sophisticated view into the benefits and downsides of switching from an outdated system in
magnetic stripe credit cards to a newer system in chip-and-PIN credit cards. I chose to write on
this topic because it has an overarching effect on almost every single American adult, and it
affects both those who are and those who aren’t interested in computer security equally; as stated
before, credit card vulnerabilities affect a large number of Americans, and a potential solution at
decreasing this number has recently been implemented in our federal system. This issue has only
received some of the mainstream attention it deserves, but the issue of the security of credit cards
is a significant issue that has yet to be solved.
Security Threats for Magnetic Stripe Cards
The largest threat to magnetic stripe cards is perhaps also the easiest way to obtain someone’s
credit card information in card-present transactions. This process is called card skimming: a
small physical device is placed somewhere near the POS apparatus used to swipe cards. This
device also reads the card’s stripe, and can either store the data or wirelessly transmit it to the attacker.
From here, with the magnetic information, an attacker may write this information to another card
with a magnetic stripe, and because all of the card’s data was simply magnetically encoded onto
the victim’s card, the second card will function identically to the first [2]. According to a 2010 U.S.
Secret Service data breach report, approximately 30 percent of data breaches involved physical
tampering and/or skimming. Cards that do not use this magnetic stripe, however, would not be
vulnerable to very inexpensive card skimmers [6].
The second major security threat in magnetic stripe cards is the very basic signature
verification for proving the user’s identity. This sort of secondary security validation can prove to
be very unreliable for two reasons. First, more often than not nowadays, US merchants (e.g.
grocery and department stores) will actually not attempt to verify the user’s signature against the
cardholder’s signature. This oversight would essentially guarantee that the theft of a credit card
would undoubtedly lead to fraudulent activity on the card. Secondly, for those merchants that try
to verify the user’s signature, human error still exists. It can be difficult to match signatures,
when not only would two signatures by different people look very similar, but two signatures by
the same person can look quite different. The secondary security validation of magnetic
stripe cards (and of chip-and-signature cards) is, frankly, very archaic and not very reliable, and
should not be used as any sort of verification technique.
Action Items
As previously stated, an important step to prevent skimming and signature forgery is to
switch to the EMV-standard chip-and-PIN credit cards. The facilitation of this process will be
catalyzed by Visa’s October 1st, 2015 date to shift liability for counterfeit fraud to the merchant if
he does not have a device that is compatible with the new cards. However, this is only the first
step in mitigating what has become a tremendous problem.
The EMV standard, as previously stated, only affects card-present transactions. However,
this potential transition would not affect CNP transactions, such as online shopping, a very large
industry in the United States. This paper will not thoroughly analyze each of these potential
steps, but will nonetheless list several methods for a comprehensive security solution against
credit-card attackers. Each online third party should, in theory, be vetted to ensure that PCI
standards are met, through both static and dynamic analyses, and the teams that do this should
determine whether extra layers of security are required. Furthermore, the PCI standards should
be updated to facilitate the upkeep required for the transition to the EMV standard.
Unfortunately, despite all the security measures that can be placed, attackers will
undoubtedly always succeed in cracking through various security layers and obtaining sensitive
data. In these action items, it is nonetheless imperative to implement these sweeping changes, so
that not only would it be less likely for attackers to succeed, but also, any damage can be more
easily mitigated, and flaws can be more easily addressed.
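As an added example (mine, not the paper’s or any PCI tooling), the kind of check the PCI vetting above implies: a scanner that walks log lines looking for the static track-2 data a skimmer captures from a magnetic stripe, so that a merchant can confirm it is never stored in the clear. The log lines and the card number are constructed sample data.

```python
import re

# Constructed sample POS log (not real data): line 1 leaks full track-2 data,
# line 2 contains a 16-digit order id that is not a card number, line 3 is a
# properly masked PAN. 4111111111111111 is a well-known Luhn-valid test number.
SAMPLE_LOG = """\
2014-12-01 10:02:11 swipe ok track2=;4111111111111111=25121011000012300000?
2014-12-01 10:02:12 order id=1234567890123456 total=42.10
2014-12-01 10:02:13 auth approved pan=411111******1111
"""

# Track 2 as read from the stripe: PAN, '=' separator, YYMM expiry, 3-digit
# service code, discretionary data, with optional ';' and '?' sentinels.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")
# Any bare run of 13-19 digits is a PAN candidate until the Luhn check says otherwise.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (kind, masked_pan, expiry, service_code) for each leak in a line."""
    findings = []
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track2", mask_pan(m.group(1)), m.group(2), m.group(3)))
    seen = {f[1] for f in findings}
    for m in PAN_RE.finditer(line):
        pan = m.group(1)
        if luhn_ok(pan) and mask_pan(pan) not in seen:
            findings.append(("pan", mask_pan(pan), None, None))
    return findings


def scan_log(text: str) -> list:
    """Return (line_number, finding) pairs for every leak found in a log."""
    return [(n, f) for n, line in enumerate(text.splitlines(), 1)
            for f in scan_line(line)]
```

Only the first line is reported: the order id fails the Luhn check and the third line is already masked.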
Security Flaws in Chip-and-PIN Cards
Unfortunately, several critical security flaws still exist in chip-and-PIN cards. At Black Hat
USA 2011, Andrea Barisani demonstrated that the newer EMV cards still supported “legacy
transactions,” meaning that even though the card itself may be safe, the user’s PIN may be
compromised. A “legacy transaction” is one that uses static data authentication, which means
that the same, unencrypted key is used in each transaction. Thus, a new kind of skimming device
can be attached to execute a type of “man-in-the-middle” attack, in which a legacy transaction is
forced and neither the card nor the point-of-sale terminal is able to defend against it. The user’s
PIN is transmitted “in the clear,” and the skimmer is able to save this information [7].
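As an added illustration (mine, not from the paper or from any EMV vendor) of how a terminal can refuse the downgrade just described, here is a Python policy that decodes the card’s Application Interchange Profile (AIP) and declines to run a static-authentication-only transaction or to accept an offline PIN from such a card. The bit positions are my reading of EMV Book 3, Annex C1, and the policy thresholds are illustrative assumptions.

```python
# Assumed layout of AIP byte 1 (EMV Book 3, Annex C1); verify against the
# specification before relying on it. Byte 2 is reserved and ignored here.
AIP_BITS = {
    "sda": 0x40,            # static data authentication supported
    "dda": 0x20,            # dynamic data authentication supported
    "cvm": 0x10,            # cardholder verification supported
    "terminal_risk": 0x08,  # terminal risk management to be performed
    "issuer_auth": 0x04,    # issuer authentication supported
    "cda": 0x01,            # combined DDA / application cryptogram generation
}


def decode_aip(aip: bytes) -> dict:
    """Decode the two-byte AIP into named capability flags."""
    if len(aip) != 2:
        raise ValueError("AIP must be exactly two bytes")
    return {name: bool(aip[0] & mask) for name, mask in AIP_BITS.items()}


def terminal_policy(aip: bytes, allow_sda: bool = False) -> dict:
    """Illustrative terminal policy (an assumption, not an EMV rule):
    pick the strongest offline data authentication (ODA) method the card
    offers, and treat an SDA-only card as a legacy downgrade: no ODA, no
    offline PIN, and the transaction must be authorised online unless the
    acquirer has explicitly opted in with allow_sda."""
    caps = decode_aip(aip)
    if caps["cda"]:
        oda = "CDA"
    elif caps["dda"]:
        oda = "DDA"
    elif caps["sda"] and allow_sda:
        oda = "SDA"
    else:
        oda = None
    # Without dynamic authentication the card cannot prove it is not a clone,
    # so its PIN is not verified offline and the issuer makes the decision.
    dynamic = oda in ("CDA", "DDA")
    return {
        "oda": oda,
        "offline_pin_ok": dynamic and caps["cvm"],
        "must_go_online": not dynamic,
    }
```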
Chip-and-PIN cards may be “safer” in card-present transactions, but unfortunately, they
are no different than their magnetic stripe counterparts when it comes to CNP transactions. In
the United Kingdom, from 2000 to 2010, CNP fraud losses grew by a factor of about three.
According to the Financial Fraud Action in the United Kingdom, “lost/stolen or counterfeit cards
accounted for a much smaller percentage of overall fraud … while CNP fraud became the source of
almost two-thirds of all fraud losses.” As many security experts note, including Rob Havelt, “they
might have [security] controls that are really good, or good enough, for right now. But tomorrow,
next week, a month from now, or next year, they [the security measures] might not be.” [10] This
quote does hold true in the credit card security sector: with improvements to the credit card POS
transactions came a rise in CNP fraud.
Another security flaw, now fixed for the most part, was discovered by experts in July 2012.
MWR InfoSecurity, based in the United Kingdom, acquired several second-hand POS terminals
and was able to access the code that these machines run. From there, they were able to load
malicious code onto a card that, when used in shops, would infect other card readers, causing
them to store all the data they obtained, which could then be downloaded with a second card. This feat was
also repeated at Black Hat 2012 [11].
An Interesting Alternative
SmartMetric, Inc. offers a very interesting alternative that builds on the EMV standard.
Instead of using a PIN for secondary verification, which the company claims is the “weak security
link in the EMV chip card,” their biometric solution has a fingerprint scanner on the card. By
introducing a fingerprint scanner into their cards, SmartMetric attempts to guarantee that the
validation and authentication of the user is correct, in both CNP and CP transactions [9]. If this
product is fully developed and used widely, it could mark another giant leap in credit card
security.
Conclusion
Despite the various downsides that would exist in a post-EMV United States, it would be
very beneficial for the United States to transition to the EMV standard. Joining most of the rest of
the world would be very beneficial for US citizens who are currently unable to use their credit
cards abroad in Europe. But why did this not happen over twenty years ago when the first EMV
standards were released?
One reason may be that US merchants, not the government or the credit card companies, would
have to invest in upgrading their POS terminals to support chip-embedded cards [8]. Additionally,
a great many cards would need to be reissued, and financial institutions would also need to invest
quite a bit of money to support EMV standard cards. However, to help counteract the resistance
from US merchants, Visa has outlined a very important initiative effective October 1, 2015: if a
non-fuel-selling merchant is presented with a chip-embedded card but cannot support it, any fraud
liability can be shifted to the merchant instead of the user of the card [2]. In conclusion, even once
the US eventually transitions to the EMV standard, there will always be attackers looking to obtain
sensitive credit card data, and even if every merchant upgrades their security protocols for CNP
transactions, credit card fraud will always be something that consumers have to be wary about.
References
[1] The White House. "FACT SHEET: Safeguarding Consumers’ Financial Security." The White House, 17 Oct. 2014. Web. <http://www.whitehouse.gov/the-press-office/2014/10/17/fact-sheet-safeguarding-consumers-financial-security>
[2] "Battling Card Fraud through Chip and PIN Technology." Diebold, 2011. Web. <http://www.diebold.com/Diebold%20Asset%20Library/dbd_emvcardfraudchipandpintechnology_whitepaper.pdf>
[3] "The Great EMV Debate: Chip-and-PIN vs. Chip-and-signature." TSYS: People-Centered Payments, n.d. Web. <http://www.tsys.com/acquiring/engage/articles/The-Great-EMV-Debate-Chip-and-PIN-vs-Chip-and-signature.cfm>
[4] Touryalai, Halah. "Countries With The Most Card Fraud: U.S. And Mexico." Forbes, 22 Oct. 2012. Web. <http://www.forbes.com/sites/halahtouryalai/2012/10/22/countries-with-the-most-card-fraud-u-s-and-mexico/>
[5] Yu, Alan. "Outdated Magnetic Strips: How U.S. Credit Card Security Lags." NPR, 19 Dec. 2013. Web. <http://www.npr.org/blogs/alltechconsidered/2013/12/19/255558139/outdated-magnetic-strips-how-u-s-credit-card-security-lags>
[6] King, Douglas. "Chip-and-Pin: Success and Challenges in Reducing Fraud." Federal Reserve Bank of Atlanta, Jan. 2012.
[7] "Legacy Support Leaves Chip-And-PIN Vulnerable." Dark Reading, Information Week, 1 Aug. 2011. Web. <http://www.darkreading.com/vulnerabilities-and-threats/legacy-support-leaves-chip-and-pin-vulnerable-/d/did/1099279>
[8] Schwartz, Mathew J. "Target Breach: Why Smartcards Won't Stop Hackers." Dark Reading, Information Week, 24 Jan. 2014. Web. <http://www.darkreading.com/attacks-and-breaches/target-breach-why-smartcards-wont-stop-hackers-/d/did/1113565>
[9] Smart Metric: Protecting the World Digitally. Smart Metric, n.d. Web. <http://www.smartmetric.com/>
[10] "SMART TRADEOFF? EMV Reduces Most Fraud, except Card-not-present." Nice Actimize News, Actimize, n.d. Web. <http://www.niceactimize.com/index.aspx?page=news603>
[11] Owano, Nancy. "Chip and Pin Terminals Shown to Harvest Customer Info." Phys.org, Science X Network, 31 July 2012. Web. <http://phys.org/news/2012-07-chip-pin-terminals-shown-harvest.html>
Supplemental Materials
Please visit <https://github.com/cornellpatrick/CC> for supplemental material.